On a typical Web page, it’s possible to load a script from another file. Usually that script is something you, the site developer, put there yourself, and it is loaded from your own server.


But it doesn’t have to be that way. A script can be loaded from just about anywhere, and someone malicious could use an input field on a form at your site to inject some script into the page, or at least a script tag that pulls in code from a server they control.

Since that injected script is probably up to no good, it would be nice to ensure that it can’t run. And that’s where the Content Security Policy header comes in. It is an HTTP response header rather than a piece of HTML: the server uses it to tell the browser where scripts are allowed to come from, and the browser refuses to run anything from anywhere else. As a new entry on the Neohapsis blog puts it:

CSP functions by allowing a web application to declare the source of where it expects to load scripts, allowing the client to detect and block malicious scripts injected into the application by an attacker.

Sounds good, right? But the Neohapsis folks have found that really getting a handle on CSP takes some practice and some experimentation. To facilitate that, they’ve created the CSPplayground, which includes a number of things, in particular a collection of examples of CSP screwups: policies that were meant to protect a site but don’t.
